eCommerce Fraud Prevention and Detection Best Practices for Businesses
While eCommerce fraud attacks are nothing new, bad actors are becoming ever more sophisticated. The rise in online commerce accelerated by the pandemic has increased the threat to the extent that eCommerce merchants may lose $US24 billion to online payment fraud by 2024¹. The remote purchase of physical goods is the leading culprit, accounting for over 47% of online payment fraud losses in 2021².
It's more important than ever to take proactive steps to detect and prevent eCommerce fraud. Investing in the right eCommerce fraud prevention solutions can make a big difference in customer safety and financial results. We've identified the top 10 types of eCommerce fraud, signs to watch out for and the eight industry best practices for detecting them.
10 eCommerce fraud types
- Payments fraud
- Friendly fraud/chargebacks
- Account takeover (ATO) fraud
- Retail arbitrage fraud
- New account opening (NAO) fraud
- eGift card fraud
- Refund fraud
- Promotion or coupon fraud
- Triangulation fraud
- Interception fraud
1. Payments fraud
Payments fraud occurs when bad actors use stolen credit cards to purchase goods and profit by reselling items. Card-not-present (CNP) transactions are most at risk for this type of fraud because the bad actor doesn't have to present the card at the point of purchase. Businesses that don't proactively prevent payments fraud risk losing money to chargebacks, false positives, and operational inefficiencies.
2. Friendly fraud / Chargeback
A friendly fraud chargeback occurs when a consumer makes an online purchase and then disputes the charge with their bank. These disputes often end in chargebacks for the merchant. In some cases, the consumer has malicious intent to dispute the payment and keep the goods or services. But more often, consumers call their credit card companies or banks to dispute charges they don't recognise.
Usually, friendly fraud isn't attributed to criminal enterprises, but it can still damage profits and affect inventory. However, businesses and merchants can prevent friendly fraud, resolve disputes, and avoid chargebacks with a real-time chargeback prevention solution.
3. Account takeover (ATO) fraud
Account takeover fraud occurs when a human, bot, or botnet uses stolen credentials to access customer accounts. Once they have access, bad actors can drain monetary funds or loyalty points, steal customer data, or purchase goods or services. Beyond lost revenue, account takeover fraud damages brand reputations and can permanently erode the trust of good customers.
This type of non-financial credentials fraud is driven by dark web demand for stolen email addresses, passwords, and other private personal information. When a bad actor discovers the right combination of username and password, they can access and exploit genuine customer accounts.
4. Retail arbitrage fraud
Retail arbitrage fraud occurs when malicious bots allow a single buyer to purchase large quantities of discounted items for resale on a different marketplace. This type of fraud can quickly undercut revenue and profits, drain inventory, and steal discount-conscious customers away. Retail arbitrage fraud can result in dramatic price differences across marketplaces and poor customer experiences that can reflect poorly on brands.
Bots are evolving, so malicious bots are becoming harder to detect and block with perimeter security, web application firewalls, and content delivery networks. The latest generation of bot detection solutions can accurately identify and classify even the most sophisticated bots. They can block malicious bot activity, allow good bot activity, and verify questionable bot activity with step-up authentication.
5. New account opening (NAO) fraud
New account opening fraud occurs when a bad actor creates new accounts to take advantage of offers and services. The bad actor creates the account using bits and pieces of real identity data. This makes it hard for the merchant to determine if the account belongs to a legitimate customer. Without eCommerce fraud detection methods, this can lead to identity fraud and illegitimate purchases online.
6. eGift card fraud
With eGift card fraud, a bad actor steals a consumer's payment information and buys an eGift card. From there, the bad actor may resell the eGift card online. When another consumer buys it, the bad actor pockets the consumer's money and payment information. Meanwhile, the original consumer whose payment information the bad actor used to purchase the eGift card calls their credit card company to dispute the charge. The dispute ends in a chargeback for the merchant.
eGift card fraud is difficult to trace because bad actors don't have to ship cards to an address. So when it comes to resolving eGift card fraud, merchants take a significant financial hit. Luckily, there are several ways businesses and merchants can avoid eGift card fraud.
7. Refund fraud
Refund fraud is a big problem for any company that ships goods or accepts returns. Essentially, refund fraud happens when bad actors exploit gaps in logistics or fulfilment processes to turn a profit or get goods for free. There are several kinds of refund fraud, including did-not-arrive (DNA), an empty box or partially empty box, fake tracking ID (FTID), and refund as a service. Some bad actors are part of larger, more organised groups abusing refund policies.
But not all bad actors are in those bigger groups. Some are opportunistic customers. And unfortunately, refund fraud happens without a chargeback or a traditional dispute to alert the merchant, making it hard to detect.
8. Promotion or coupon fraud
Businesses depend on promotional sales and lead-generating promotional campaigns to acquire new customers and keep loyal customers happy. In promotion or coupon fraud, a bad actor abuses a business's coupon or promotional policies. Bad actors may attempt to defraud a business by using promotional codes multiple times or abusing coupon policies to obtain goods for free. Referral programs and sale-saving tactics like cart abandonment and apology vouchers are most at risk for this type of fraud.
9. Triangulation fraud
Triangulation fraud occurs when bad actors build fake online stores to sell items at cheaper prices. The fake store has a single purpose: to steal credit card data. After the bad actor collects a consumer's credit card information, they forward the legitimate transaction to the real merchant. The real merchant charges the customer a second time, which leads to chargebacks. If the consumer doesn't realise their credit card information was compromised, the bad actor may keep the stolen data and make purchases elsewhere.
10. Interception fraud
With interception fraud, bad actors attempt to intercept a customer's order and obtain goods for resale. To do this, the bad actor will contact a vendor's customer service partner to have the order's shipping address changed to their own. Bad actors may also approach the shipping company directly and ask them to reroute a delivery to an alternative address so they can intercept it. Interception fraud requires taking over a customer's account to access order and shipping details.
10 signs of eCommerce fraud
Establishing trust in a user's identity is the best way to prevent eCommerce fraud. Manual reviews alone will be unsustainable when online orders increase. But there are ten signs of eCommerce fraud all businesses and merchants can watch for:
- Customers create new email addresses to make purchases.
- Customers place higher- or lower-than-average orders.
- Customers place multiple orders in quick succession.
- Customers pay more for expedited shipping.
- Customers ship items to unusual locations.
- Customers order a product in large quantities.
- Customers use multiple shipping addresses.
- Customers use shipping or billing addresses that don't match their IP addresses.
- Customers use multiple cards from a single IP address.
- Customers ship numerous orders to the same address using different cards.
1. Customers create new email addresses to make purchases
Consumers often use the same email addresses for many years, so customers registering new email addresses may indicate fraud. Knowing an email address's date first seen, for example, can help establish identity trust. If an email address has an age of zero, it may indicate that a bad actor created the email address that day to commit fraud.
Meanwhile, the email address's date last seen can indicate how long it's been since a customer used that email address. An email address that hasn't been seen in several years, for example, may have been accessed through account takeover fraud.
2. Customers place higher- or lower-than-average orders
If a good customer suddenly places an order significantly higher than average, they may be a victim of fraud. The same goes for good customers who place lower-than-average orders, as they may be the victims of account takeover fraud. A business's products, services, or industry standards may determine what behaviour is normal or risky. But, generally, purchases that are too high or too low may cause suspicion.
3. Customers place multiple orders in quick succession
If a business finds that customers place multiple orders in rapid succession in small denominations, a bad actor may be card testing. Bad actors use card testing to validate stolen credit cards. Once they confirm which credit card numbers are live, they can make larger fraudulent purchases.
With card testing, a bad actor may place multiple small orders on one or many credit cards at once or within a short time frame. Essentially, they're weeding out cancelled or invalid numbers. Quick-service restaurants, in particular, are prime targets for card testing because they offer low-dollar-value items.
4. Customers pay more for expedited shipping
Bad actors may expedite shipping on fraudulent purchases to decrease a merchant's chances of manually reviewing the order. They know stolen cards have a short lifespan, so they're more likely to pay for faster, more expensive shipping. After all, it's not their money the bad actor is spending. This sign of eCommerce fraud goes hand in hand with orders that are significantly higher than average. Expedited shipping isn't a red flag on its own. But it may be a strong indicator if merchants see it with other items on this list.
5. Customers ship items to unusual locations
Mismatched shipping and billing addresses may indicate fraud, especially if the discrepancy is several states or countries apart and not marked as gifts. If a business predominantly sells domestically, an unexpected uptick in international orders may also indicate fraud.
6. Customers order a product in large quantities
If a business receives orders for higher-than-average quantities of one product, the orders might be fraudulent. As other circumstances on this list highlight, bad actors tend to expedite large orders, knowing victims can cancel stolen cards at any time. If a large order for the same product comes through, consider following up with the customer to confirm and clarify purchase details.
7. Customers use multiple shipping addresses
Sometimes bad actors place orders to multiple shipping addresses with several stolen cards, each placed under different names. If a customer's account has multiple shipping addresses attached to it, this is a red flag.
8. Customers use shipping or billing addresses that don't match their IP address
The benefit of eCommerce stores is that businesses can track the most granular details of a customer's order: from their billing and shipping addresses to their IP address at checkout. If these don't match, it should raise a red flag. For example, the transaction may require more scrutiny if an IP address and a shipping address differ from an order's billing address.
9. Customers use multiple cards from a single IP address
If customers place orders from the same IP address but with several cards, this could indicate a problem. Although it's not unusual for customers to have more than one card, several cards — especially used at the same time — should be considered suspicious.
10. Customers ship multiple orders to the same address using different cards
This is a sign of lazy eCommerce fraud, yet it happens. Often, bad actors won't steal information from a single card but will use multiple cards. Then they'll attempt to place fraudulent orders with different cards and ship them to the same address. It could be fraud if a customer ships multiple orders with different cards to the same address, whether over one transaction or several.
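Several of the signs above (1, 3, 9 and 10) can be checked mechanically against order history. The following is an added example, not code from this article or from any vendor's product: the field names, thresholds and sample orders are assumptions constructed for illustration, and an order is queued for review only when at least two signals fire, since one sign alone is rarely conclusive.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def order(oid, when, ip, card, ship_to, amount, email_first_seen):
    """Build one order record (hypothetical schema for this example)."""
    return {"id": oid, "time": datetime.fromisoformat(when), "ip": ip,
            "card": card, "ship_to": ship_to, "amount": amount,
            "email_first_seen": datetime.fromisoformat(email_first_seen)}

# Constructed sample orders. IPs come from documentation ranges; "card" is an
# opaque token standing in for a card, never a real card number.
ORDERS = [
    order("A1", "2024-03-01 10:00", "203.0.113.7", "tok_a", "12 Elm St, Springfield", 2.00, "2024-03-01"),
    order("A2", "2024-03-01 10:02", "203.0.113.7", "tok_b", "12 Elm St, Springfield", 1.50, "2024-03-01"),
    order("A3", "2024-03-01 10:04", "203.0.113.7", "tok_c", "12 ELM ST,  Springfield", 3.00, "2024-03-01"),
    order("A4", "2024-03-01 10:30", "203.0.113.7", "tok_c", "12 Elm St, Springfield", 480.00, "2024-03-01"),
    order("B1", "2024-03-01 11:00", "198.51.100.20", "tok_z", "9 Oak Ave, Shelbyville", 64.00, "2019-06-12"),
    order("C1", "2024-03-01 12:00", "198.51.100.44", "tok_y", "3 Pine Rd, Ogdenville", 4.00, "2021-01-05"),
]

def flag_orders(orders, window=timedelta(minutes=10), small=5.00, burst=3, max_cards=2):
    """Return {order_id: set of signal names}, using only orders seen so far."""
    recent_small = defaultdict(deque)  # ip -> times of recent low-value orders
    cards_by_ip = defaultdict(set)     # ip -> distinct card tokens
    cards_by_addr = defaultdict(set)   # normalised ship-to -> distinct card tokens
    flags = {}
    for o in sorted(orders, key=lambda o: o["time"]):
        hits = set()
        # Sign 1: email address first seen on the day of the order (age zero).
        if o["email_first_seen"].date() == o["time"].date():
            hits.add("new_email")
        # Sign 3: burst of low-value orders from one IP (card-testing pattern).
        if o["amount"] <= small:
            q = recent_small[o["ip"]]
            q.append(o["time"])
            while o["time"] - q[0] > window:
                q.popleft()
            if len(q) >= burst:
                hits.add("rapid_small_orders")
        # Sign 9: more distinct cards from one IP than the threshold allows.
        cards_by_ip[o["ip"]].add(o["card"])
        if len(cards_by_ip[o["ip"]]) > max_cards:
            hits.add("many_cards_one_ip")
        # Sign 10: different cards shipping to one address (case/spacing folded).
        addr = " ".join(o["ship_to"].lower().split())
        cards_by_addr[addr].add(o["card"])
        if len(cards_by_addr[addr]) > max_cards:
            hits.add("many_cards_one_address")
        flags[o["id"]] = hits
    return flags

def review_queue(flags, min_signals=2):
    """Order ids with at least min_signals independent signals."""
    return sorted(oid for oid, hits in flags.items() if len(hits) >= min_signals)

if __name__ == "__main__":
    for oid, hits in flag_orders(ORDERS).items():
        print(oid, sorted(hits))
    print("review:", review_queue(flag_orders(ORDERS)))
```

Orders A1 and A2 carry only the new-email signal when they arrive, so they are not queued until the third card and third small order make the pattern visible at A3.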
Kount’s Fraud Protection Platform detects these suspicious activities and automatically approves, declines or holds transactions without you having to monitor them manually.
8 industry best practices for eCommerce fraud detection
The following industry best practices can help prevent eCommerce fraud, whether used individually or in conjunction with other behavioural indicators.
- Implement AI and machine learning.
- Link fraud signals from a data network that's larger than your own.
- Implement risk-based or step-up authentication.
- Implement card security code requirements.
- Partner with a reliable third-party payment processor.
- Follow PCI standards.
- Train customer service reps on fraud.
- Keep fraud prevention software updated.
1. Implement AI and machine learning
The best way to detect and prevent eCommerce fraud is with automated decisioning and minimal human interaction. AI fraud prevention simulates the work of experienced fraud analysts by weighing the risk of fraud against the customer's value on a faster and more scalable basis.
AI can weigh fraud risks with the help of supervised and unsupervised machine learning. Supervised machine learning detects emerging fraud attacks, and unsupervised machine learning accounts for past decisions. eCommerce businesses that use AI don't just detect and prevent fraud. They accept more good orders, reduce manual reviews, and have more control over business outcomes.
2. Link fraud signals from a data network that's larger than your own
A single sign of fraud or purchase-related red flag isn't enough to indicate fraud. Businesses and fraud analysts should take the identity elements they capture from customer interactions and link these to a robust data network to evaluate and establish a better trust decision.
A data network like Kount provides billions of digital interactions from industries across the globe. A network like this, which is strongly associated with eCommerce and has processed billions of similar interactions to detect fraud, can help analysts determine if a purchase is legitimate. The more data an eCommerce business has, the faster and more accurately it can detect fraud.
3. Implement risk-based or step-up authentication
Implementing strong password requirements on your customer accounts can reduce fraudulent activity. The better the password, the harder it will be for a bad actor to break into a customer's account. But safety isn't guaranteed.
With risk-based authentication (RBA) or step-up authentication, issuing banks apply varying levels of scrutiny to authentication processes based on the interaction's level of risk. The higher the risk, the more rigorous the authentication process. Step-up authentication challenges the end user to provide additional information when the interaction looks suspicious or risky and may present a higher likelihood of fraud.
4. Implement card security code requirements
Some eCommerce activities, like card-not-present (CNP) transactions, pose a higher risk of fraud. In a CNP transaction, a customer isn't required to present a card to complete a purchase. CNP transactions are common when customers make purchases online, via mobile app, or over the phone.
These transactions pose a higher risk of fraud because businesses and merchants can't verify a cardholder's identity easily. Businesses should implement card security code requirements to prevent CNP fraud. Asking for each card's three- or four-digit code can reduce the probability that a transaction is fraudulent.
5. Partner with a reliable third-party payment processor
Outsourcing fraud checks to a third-party payment processor is one of the easiest and safest ways to prevent eCommerce fraud. Third-party payment processors often manage customer chargebacks, security compliance, and data storage.
Keeping customer data safe should be a top priority, especially if customers save their credit card details in their accounts. A third-party payment processor can keep customers' private information secure, cutting the number of eCommerce fraud attempts against a store.
6. Follow PCI standards
Payment Card Industry (PCI) standards help businesses protect themselves and their customers from eCommerce fraud. PCI standards include six major objectives and 12 key requirements. MasterCard, American Express, and Visa set PCI standards to safeguard consumer data.
The Payment Card Industry Security Standards Council enforces these standards, which are mandatory for online retailers. Most major payment processors comply with PCI standards. But businesses and merchants must do their research before choosing a third-party payment processor.
7. Train customer service reps on fraud
Training can play a crucial role in preventing fraudulent activity. With a well-trained customer support team and stringent security system, businesses are less likely to be victims of fraud. With sufficient anti-fraud training, customer service representatives can more effectively identify and respond to potentially fraudulent inquiries.
8. Keep fraud prevention software updated
If a business uses software to prevent eCommerce fraud, keep that software updated. Bad actors are constantly finding ways to avoid getting caught, and anti-fraud software providers adjust to fight them every step of the way. But software that's out of date can leave businesses vulnerable to new fraud patterns.
Anti-fraud software relies on security patches to prevent evolving fraud behaviours and protect against new viruses and malware. Without updates, businesses risk bad actors accessing data and sidestepping measures that reduce fraudulent activity.
eCommerce fraud detection is easier than ever
Kount protects the entire customer journey and reduces manual reviews by up to 83%.
Following basic best practices can provide some eCommerce fraud protection, but most businesses can't do it alone, and relying on manual reviews alone is tedious, hard to scale, and prone to human error.
Businesses should invest in powerful fraud prevention platforms and software to efficiently and accurately scale eCommerce fraud detection and prevention. With Kount’s AI-driven fraud prevention solution, businesses can prevent emerging fraud, accept more good orders, reduce manual reviews, and control business outcomes.
Kount evaluates risk and trust in milliseconds using AI-powered technology and a global data network comprising the Identity Trust Global Network™. By determining the right level of trust in a user’s identity, businesses can protect revenue and customer data.
Kount's AI simulates an experienced fraud analyst by weighing the risk of fraud against the customer's value. An Omniscore™ safety score is produced for each transaction, so businesses can decide whether to approve, decline or hold transactions based on the level of trust in a user's identity.
Kount protects the entire customer journey and creates frictionless experiences for good customers, which is essential for repeat business. For example, global running shoe brand Brooks reduced their chargebacks by 92% and dropped their manual review rate to 2% with Kount.
eCommerce fraud will continue to evolve, but the technology that prevents it has never been more advanced. eCommerce businesses need to know the red flags that indicate fraud so that they can reduce fraudulent activity. Kount can identify those flags to help businesses determine risk levels for each interaction. The results are immediate, including low false positives, high automation, low manual reviews, personalised customer experiences, and frictionless customer interactions – all of which help retailers grow their revenue.
Ready to learn more about Kount? Contact us to speak to an expert and take action against fraud.
1 Online payment fraud: emerging threats, segment analysis & market forecasts 2021-2025, https://www.juniperresearch.com/researchstore/fintech-payments/online-pa...
2 As above